<BR><P><SPAN class=bold><STRONG><FONT size=3>MSN photo virus images.zip: infection symptoms</FONT></STRONG></SPAN></P>
<P><SPAN class=bold><FONT size=2>Record number: CISRT2007104<BR>Virus name: IM-Worm.Win32.Agent.f (Kaspersky)<BR>Alias: Backdoor.Win32.Jusi.ab (Rising)<BR>File size: 40,960 bytes<BR>Packer:<BR>Sample MD5: fc5415dc9054ee0934e3ff3e587de444<BR>Sample SHA1: c48246a83290fa05ae8362c1d30c0dff98281cf4<BR>Discovered: 2007.7<BR>Updated: 2007.7<BR>Related viruses:<BR>Propagation: via MSN</FONT><BR><BR><BR><STRONG><FONT size=3><SPAN class=bold><STRONG>MSN photo virus images.zip</STRONG></SPAN>: technical analysis</FONT><BR></STRONG>==========<BR><BR><FONT color=#000000>Variants:<BR></FONT><A href="http://www.cisrt.org/bbs/viewthread.php?tid=918" target=_blank><STRONG><FONT color=#000000><U>【CISRT2007039】IRCBot spreading via MSN, photo album.zip / rdshost.dll: solution</U></FONT></STRONG></A><BR><A href="http://www.cisrt.org/bbs/viewthread.php?tid=924" target=_blank><STRONG><FONT color=#000000><U>【CISRT2007040】IRCBot spreading via MSN, photo album.zip / rdfhost.dll: solution</U></FONT></STRONG></A><BR><A href="http://www.cisrt.org/bbs/viewthread.php?tid=954" target=_blank><STRONG><FONT color=#000000><U>【CISRT2007044】IRCBot spreading via MSN, photo album.zip / rdihost.dll: solution</U></FONT></STRONG></A><BR><A href="http://www.cisrt.org/bbs/viewthread.php?tid=1239" target=_blank><STRONG><FONT color=#000000><U>【CISRT2007068】IRCBot spreading via MSN, photos.zip / syshosts.dll: solution</U></FONT></STRONG></A><BR><A href="http://www.cisrt.org/bbs/viewthread.php?tid=1421" target=_blank><STRONG><FONT color=#000000><U>【CISRT2007079】IRCBot spreading via MSN, myalbum2007.zip / sysprinters.dll: solution</U></FONT></STRONG></A><BR><A href="http://www.cisrt.org/bbs/viewthread.php?tid=1584" target=_blank><STRONG><FONT color=#000000><U>【CISRT2007101】IRCBot spreading via MSN, notiffy.dll / printers.exe: solution</U></FONT></STRONG></A><BR><A href="http://www.cisrt.org/bbs/viewthread.php?tid=1586" target=_blank><STRONG><FONT color=#000000><U>【CISRT2007102】IRCBot spreading via MSN, firewallav.dll / printers.exe: solution</U></FONT></STRONG></A><BR><A href="http://www.cisrt.org/bbs/viewthread.php?tid=1603" target=_blank><STRONG><FONT color=#000000><U>【CISRT2007103】IRCBot spreading via MSN, images.zip / rafba.dll: solution</U></FONT></STRONG></A><BR><BR>This variant of the MSN worm differs from the earlier ones in the files it creates and in the form of its startup entry: it drops no DLL. Once run, it creates in the Windows directory a ZIP archive that contains a copy of itself:<BR><STRONG>%Windows%\images.zip<BR></STRONG>The file inside the archive is named IMG followed by digits, with the extension .pif (an extension Windows runs as a program, so the "photo" is the worm itself), for example IMG34814.pif.<BR><BR>It also creates a copy of itself:<BR><STRONG>%Windows%\winlog32.exe<BR><BR></STRONG>It creates a startup entry:</SPAN></P>
<P><SPAN class=bold>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]<BR>"MSN"="winlog32.exe"</SPAN></P>
<P><SPAN class=bold>It tries to stop the Security Center and WinVNC services with a batch file, c:\a.bat, which deletes itself afterwards:</SPAN></P>
<P><SPAN class=bold>@echo off<BR>net stop "Security Center"<BR>net stop winvnc4<BR>del c:\a.bat</SPAN></P>
<P><SPAN class=bold>It sends the following messages to the victim's MSN contacts, together with the infected archive %Windows%\images.zip disguised as photos:</SPAN></P>
<P><SPAN class=bold>LOL, you look so ugly in this picture, no joke...<BR>Should I put this on facebook/myspace?<BR>Hey m8, who is this on the right, in this picture...<BR>Sup, seen the pictures from the other night?</SPAN></P>
<P><SPAN class=bold>The contact's system is infected when they accept the archive and run the virus file inside it.</SPAN></P>
<P><SPAN class=bold>It tries to connect to a remote IRC server to receive commands from the attacker: down.basecore.info</SPAN></P>
<P><SPAN class=bold>Mutex:ahfabbg</SPAN></P><SPAN class=bold>
<P><STRONG><FONT size=3><SPAN class=bold><STRONG>MSN photo virus images.zip</STRONG></SPAN>: removal steps</FONT></STRONG><BR>==========</P>
<P>1. Delete the virus's startup entry:</P>
<P>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]<BR>"MSN"="winlog32.exe"</P>
<P>2. Restart the computer (the running winlog32.exe process keeps its file in use; once the Run entry is gone it is not started again after the reboot)</P>
<P>3. Delete the virus files:<BR>%Windows%\images.zip<BR>%Windows%\winlog32.exe</P>
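<P>The indicators from the analysis above (the IMG followed by digits .pif member inside images.zip, the sample's MD5/SHA1, and the "MSN"="winlog32.exe" value under the Run key) can be checked offline from a copy of the archive and a registry export, before the removal steps are carried out. The script below is an added example written for this page, not CISRT's removal tool; the archive and the .reg text it builds are constructed stand-ins (the .pif member holds placeholder bytes, not the worm), so the hash comparison reports no match for them and would only match a real sample.</P>

```python
import hashlib
import io
import re
import zipfile

# Indicators taken from the advisory above.
SAMPLE_MD5 = "fc5415dc9054ee0934e3ff3e587de444"
SAMPLE_SHA1 = "c48246a83290fa05ae8362c1d30c0dff98281cf4"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "MSN"
RUN_DATA = "winlog32.exe"
# Member name inside images.zip: IMG followed by digits, extension .pif
MEMBER_RE = re.compile(r"^IMG\d+\.pif$", re.IGNORECASE)


def suspicious_members(zip_bytes):
    """Names of archive members that match the worm's IMG<digits>.pif pattern."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Match on the base name so a directory prefix cannot hide the member.
            base = info.filename.rsplit("/", 1)[-1]
            if MEMBER_RE.match(base):
                hits.append(info.filename)
    return hits


def member_hashes(zip_bytes, name):
    """MD5 and SHA-1 of one member, read in memory (never written to disk)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        data = zf.read(name)
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def matches_sample(zip_bytes, name):
    """True only if the member is byte-identical to the analysed sample."""
    md5, sha1 = member_hashes(zip_bytes, name)
    return md5 == SAMPLE_MD5 and sha1 == SAMPLE_SHA1


def run_key_hit(reg_text):
    """Scan a .reg export for the "MSN"="winlog32.exe" value under the Run key."""
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = re.match(r'^"([^"]*)"="(.*)"$', line)
        if m and m.group(1) == RUN_VALUE:
            # The data is a bare file name (no path); compare it case-insensitively.
            return m.group(2).lower() == RUN_DATA
    return False


def triage(zip_bytes, reg_text):
    """Combine the checks into one report of which indicators are present."""
    members = suspicious_members(zip_bytes)
    return {
        "zip_members": members,
        "hash_match": any(matches_sample(zip_bytes, m) for m in members),
        "run_key": run_key_hit(reg_text),
    }


# --- Constructed inputs: stand-ins for %Windows%\images.zip and a Run-key export ---
def build_sample_zip():
    """Harmless placeholder archive using the worm's naming pattern (not the worm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IMG34814.pif", b"placeholder bytes, not the real sample")
        zf.writestr("notes.txt", b"unrelated file")
    return buf.getvalue()


SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[" + RUN_KEY + "]\n"
    '"MSN"="winlog32.exe"\n'
)

if __name__ == "__main__":
    print(triage(build_sample_zip(), SAMPLE_REG))
    # -> {'zip_members': ['IMG34814.pif'], 'hash_match': False, 'run_key': True}
```

<P>On a suspect machine the inputs would come from a <CODE>reg export</CODE> of the Run key (reg.exe writes the file as UTF-16, so open it with that encoding) and from %Windows%\images.zip read as bytes. The member is only hashed in memory, never extracted or executed, so the script is safe to run against a collected sample. A positive report is the cue to carry out steps 1 to 3 above; the script does not modify the system itself.</P>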
<P><SPAN class=bold><FONT color=#0033ff size=3><STRONG>MSN photo virus images.zip removal tool download: </STRONG></FONT><A href="http://www.hotbus.cn/it/200708/2685.html"><FONT color=#0033ff size=3><STRONG>/it/200708/2685.html</STRONG></FONT></A></SPAN></P></SPAN> <BR>